Provides a middleware to represent the "security.txt" for ASP.NET Core applications. Security.txt is a proposed standard which allows websites to define security policies, more details see https://securitytxt.org/.
The security.txt page will be shown under /.well-known/security.txt
. Optionally, the url /security.txt
will be redirected to the main url.
Install the NuGet package CHG.Extensions.Security.Txt
.
There are 3 ways the content of the security.txt can be defined.
public void ConfigureServices(IServiceCollection services)
{
...
services.AddSecurityText(builder => ...);
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
...
app.UseSecurityText();
...
app.UseMvc();
}
You can use a predefined text file which is deployed with your application.
public void ConfigureServices(IServiceCollection services)
{
...
services.AddSecurityText(builder =>
builder.ReadFromFile(Environment.WebRootFileProvider.GetFileInfo("companySecurityinfo.txt"))
);
// or via path
services.AddSecurityText(builder =>
builder.ReadFromFile("./content/companySecurityinfo.txt"))
);
...
}
It's also possible to read the fields from the configuration.
public void ConfigureServices(IServiceCollection services)
{
...
services.AddSecurityText(builder =>
builder.ReadFromConfiguration(Configuration.GetSection("SecurityText"))
);
}
The json configuration file should look like:
{
"SecurityText": {
"Introduction": "The ACME Security information.",
"Contact": "mailto:[email protected];tel:+1-201-555-0123",
"Encryption": "https://example.com/pgp-key.txt",
"Signature": "https://example.com/.well-known/security.txt.sig",
"Policy": "https://example.com/security-policy.html",
"Acknowledgments": "https://example.com/hall-of-fame.html",
"Hiring": "https://example.com/jobs.html",
"Permission": "none",
"ValidateValues": true
}
}
or
{
"SecurityText": {
"Redirect": "https://example.com/.well-known/security.txt"
}
}
The fields can also be set via code:
public void ConfigureServices(IServiceCollection services)
{
...
services.AddSecurityText(builder => { builder
.SetContact("mailto:[email protected]")
.SetPolicy("https://example.com/security-policy.html");
});
// or as a redirect
services.AddSecurityText(builder => { builder
.SetRedirect("https://example.com/.well-known/security.txt");
});
}
Per default all values (except when given via file) will be validated. The validation can be disabled either via the ValidateValues
configuration key when using config file or via the DisableValidation
method.
This project and everyone participating in it is governed by the CHG-MERIDIAN Code of Conduct. By participating, you are expected to uphold this code. Please report unacceptable behavior to [email protected].